Open tonmoy71 opened 8 years ago
I think this is supposed to be fixed in #71
Okay, now I understand. Yes, that's a horizontal session scaling issue. Hold on
Do these here as I need to know how claims are working here.
@thehoneymad , I have followed the 4 steps described by you. Yes the old token can get the same resource.
It is supposed to, that's how claims work. It's definitely a refresh token issue. Please rename the issue accordingly.
Background
In Facebook and similar websites, when a user is logged in on several tabs and he/she logs out from one tab, all other tabs get notified that the user has been logged out and prompt a login dialog.
In taskcat, whether a user is logged in or not is determined by a JSON token. Say user X is logged in on pc1. Now if he logs in from another PC, pc2, a new JSON token will be retrieved on his behalf and the token saved on pc1 will be expired. So all the authorized calls from pc1 will get a 401 error.
The JSON tokens also expire automatically after a certain time; in that case too, the token saved in the browser's local storage will no longer be accepted in the authorized API call.
Observed Problem
In the above-mentioned scenario, WebCat does not let the user log in and does not show any alert/prompt to log in again. It shows the following error as the access token becomes invalid and the user becomes unauthorized.
Also, if a user manually logs out and logs in again, the API calls keep using the old saved token. Only if a manual browser refresh is triggered do the API calls pick up the latest token from the browser and succeed in calling the authorized API.
Problem found in http://gofetch.cloudapp.net:8000/#/home
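The client-side behaviour described in the issue (a token cached once and reused after re-login, a 401 surfacing as a raw error instead of a login prompt, and the Facebook-style cross-tab logout notification) can be illustrated with the following added example. It is not WebCat or taskcat code; the storage key `authToken`, the fake server, the synchronous `request` stand-in for `fetch` and the shared in-memory storage are all constructed here so the file runs under Node without a browser.

```javascript
// Added example, not code from WebCat/taskcat: a browser API client that
// reads the JWT from storage on every request (so a re-login takes effect
// without a page refresh), treats a 401 as "session no longer valid" and
// prompts for login, and notifies other tabs when the token is removed.
// Browser globals (localStorage, fetch, the 'storage' event) are replaced by
// small in-memory stand-ins, all constructed here, so the file runs under Node.

const TOKEN_KEY = 'authToken'; // assumed storage key, not taskcat's real one

// In-memory localStorage stand-in (constructed). In a browser use
// window.localStorage and window.addEventListener('storage', ...), which
// fires in every *other* tab when a key changes.
function createSharedStorage() {
  const map = new Map();
  const listeners = [];
  const notify = (key, newValue) => listeners.forEach((l) => l({ key, newValue }));
  return {
    getItem: (k) => (map.has(k) ? map.get(k) : null),
    setItem(k, v) { map.set(k, String(v)); notify(k, String(v)); },
    removeItem(k) { map.delete(k); notify(k, null); },
    onStorage: (fn) => listeners.push(fn),
  };
}

// Fake API server (constructed): only the most recently issued token is
// accepted, mirroring "login from pc2 expires the token saved on pc1".
function createFakeServer() {
  let current = null;
  let issued = 0;
  return {
    login() { current = `token-${++issued}`; return current; },
    // Synchronous stand-in for fetch(); returns only what the client needs.
    request(url, { headers = {} } = {}) {
      const ok = current !== null && headers.Authorization === `Bearer ${current}`;
      return { url, status: ok ? 200 : 401 };
    },
  };
}

// The client. The defect described in the issue is a token captured once
// (e.g. at module load) and reused; here it is read from storage per call.
function createApiClient({ storage, request, onUnauthorized }) {
  function authorizedGet(url) {
    const token = storage.getItem(TOKEN_KEY); // fresh read on every call
    const headers = token ? { Authorization: `Bearer ${token}` } : {};
    const res = request(url, { headers });
    if (res.status === 401) {
      storage.removeItem(TOKEN_KEY); // stale token: drop it so no further calls reuse it
      onUnauthorized(url);           // UI hook: show the login prompt rather than a raw error
    }
    return res.status;
  }
  return { authorizedGet };
}

// A "tab" that listens for the token disappearing (logout elsewhere) and
// records that it would show the login dialog.
function createTab(name, storage) {
  const log = [];
  storage.onStorage(({ key, newValue }) => {
    if (key === TOKEN_KEY && newValue === null) log.push(`${name}: token removed, prompt login`);
  });
  return { name, log };
}

// Walk through the scenarios in the issue and return what happened.
function runScenario() {
  const storage = createSharedStorage();
  const server = createFakeServer();
  const tabB = createTab('tabB', storage);
  const prompts = [];
  const client = createApiClient({
    storage,
    request: server.request,
    onUnauthorized: (url) => prompts.push(url),
  });

  storage.setItem(TOKEN_KEY, server.login());   // user logs in on pc1
  const s1 = client.authorizedGet('/api/home'); // 200
  server.login();                               // same user logs in on pc2: pc1's token is now invalid
  const s2 = client.authorizedGet('/api/home'); // 401 -> prompt shown, token cleared, tabB notified
  storage.setItem(TOKEN_KEY, server.login());   // user logs in again on pc1, no page refresh
  const s3 = client.authorizedGet('/api/home'); // 200: the new token is picked up immediately
  return { statuses: [s1, s2, s3], prompts, tabBLog: tabB.log };
}
```

Calling `runScenario()` returns statuses `[200, 401, 200]`, one login prompt for `/api/home`, and one cross-tab notification. The point of the design is that the token is never held in a module-level variable: the only source of truth is storage, so a logout, a re-login, or a 401-triggered removal is visible to the very next request without a refresh.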